Setting Up Grouping Rules

General Description

Incident grouping is one of the tools for optimizing incident response and analysis.

Grouping combines similar incidents that share identical characteristics into a single group. This turns a scattered list of individual events into a more structured view, helps identify patterns, and simplifies analysis of the situation.

To enable this behavior, set up grouping rules. A rule determines which incident fields are used for comparison and subsequent grouping.

Creating Grouping Rules

To access the rules by which incidents will be grouped, go to Menu - Incident Manager section - Grouping Rules Setup.

At the top of the interface, there is a search bar and filters for convenient rule management, as well as a button for creating new rules.

To create a grouping rule:

  1. Click the Create button at the top of the interface.
  2. Fill in the fields in the editor.
  3. Click the Save button at the top or bottom of the interface.

Rule Editor

The editor consists of 4 sections: Basic, Comparison Fields, Functional Fields, and Additional Fields.

Basic

In the Basic section, the main grouping parameters are filled in:

  • Name - the name of the rule that will be displayed in the list of rules

  • Display Name - the name of the incident group in the Incident Manager

  • Description - the description of the incident group. Unlike for individual incidents, additional tokens that contain information about the group itself are available when grouping:

    • comparison_fields - indicates which field from the Comparison Fields section was used for grouping
    • function_fields - displays the results of function calculations applied to fields from the Functional Fields section
    • aggregation_info - stores information about the grouping settings, including the name of the current configuration
    • incidents_count - shows the total number of incidents combined into this group

  • Workflow - the workflow that will be used for the group

  • Closure Statuses - statuses that will be used to close the group

  • Criticality - the importance level of the incident group

  • Search Tasks - search tasks that will be used for grouping (tokens from the results of the tasks are available for Display Name and Description)

  • Lifetime - the lifetime of the incident group

  • Maximum Time Between Incidents - the maximum time between incidents for grouping

Comparison Fields

In the Comparison Fields section, you can set comparison parameters for grouping:

  • Field Name - the field name to be used in tokens as fields.<Field Name>
  • Value - the value from the search task results
  • Search Task - the search task whose fields will be used for comparison

Functional Fields

In the Functional Fields section, you can set fields to be displayed in the group.

  • Field Name - the field name to be used in tokens as fields.<Field Name>
  • Value - the value from the search task results
  • Function - the function that will be applied to the field from the search task results
  • Search Task - the search task whose fields will be used for comparison

Using fields from this section is convenient, for example, when you need to specify in the group card which hosts were mentioned in all incidents of the group.
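
The sketch below is an added example, not the product's implementation: it models in Python how Comparison Fields, a Functional Field, Lifetime and Maximum Time Between Incidents could interact when incidents are grouped. The rule dictionary, the distinct-values function, and the assumption that Lifetime counts from a group's first incident while Maximum Time Between Incidents counts from its latest one are illustrative assumptions; the sample incidents are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical rule: keys mirror the editor sections, values are constructed.
RULE = {
    "comparison_fields": ["user"],         # incidents must match on these fields
    "function_fields": {"hosts": "host"},  # group field -> incident field (distinct values)
    "lifetime": timedelta(hours=24),       # assumed: measured from the group's first incident
    "max_gap": timedelta(minutes=30),      # assumed: measured from the group's latest incident
}

def group_incidents(incidents, rule):
    """Return a list of groups; incidents are processed in time order."""
    groups = []
    open_by_key = {}  # comparison key -> currently open group
    for inc in sorted(incidents, key=lambda i: i["time"]):
        key = tuple(inc.get(f) for f in rule["comparison_fields"])
        grp = open_by_key.get(key)
        expired = grp is not None and (
            inc["time"] - grp["first_seen"] > rule["lifetime"]
            or inc["time"] - grp["last_seen"] > rule["max_gap"]
        )
        if grp is None or expired:
            grp = {
                "comparison_fields": dict(zip(rule["comparison_fields"], key)),
                "function_fields": {name: [] for name in rule["function_fields"]},
                "incidents_count": 0,
                "first_seen": inc["time"], "last_seen": inc["time"],
            }
            groups.append(grp)
            open_by_key[key] = grp
        grp["incidents_count"] += 1
        grp["last_seen"] = inc["time"]
        for name, src in rule["function_fields"].items():
            value = inc.get(src)
            if value is not None and value not in grp["function_fields"][name]:
                grp["function_fields"][name].append(value)
    return groups

# Constructed sample incidents.
SAMPLE = [
    {"time": datetime(2024, 1, 1, 10, 0), "user": "alice", "host": "ws-01"},
    {"time": datetime(2024, 1, 1, 10, 10), "user": "alice", "host": "ws-02"},
    {"time": datetime(2024, 1, 1, 10, 15), "user": "bob", "host": "ws-01"},
    {"time": datetime(2024, 1, 1, 11, 30), "user": "alice", "host": "ws-03"},  # gap > 30 min
]

if __name__ == "__main__":
    for g in group_incidents(SAMPLE, RULE):
        print(g["comparison_fields"], g["incidents_count"], g["function_fields"])
```

In this model the last incident for alice opens a new group because more than 30 minutes passed since her previous one, so a short Maximum Time Between Incidents splits what analysts may regard as one activity into several groups.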

Additional Fields

In the Additional Fields section, you can set additional incident parameters that are changed in the module settings.

Editing Grouping Rules

To edit a grouping rule:

  1. In the Grouping Rules table, in the Actions column, click the ... button.
  2. Select the Edit action.
  3. Make changes in the Rule Editor.
  4. Click the Save button at the top or bottom of the interface.

Enabling and Disabling Grouping Rules

To enable and disable grouping rules:

  1. In the Grouping Rules table, in the Actions column, click the ... button.
  2. Select the Disable or Enable action.

Deleting Grouping Rules

To delete a grouping rule:

  1. In the Grouping Rules table, in the Actions column, click the ... button.
  2. Select the Delete action.